The hard drives most likely to expose your data aren’t your own

A minority of people expose the majority of personal data, mostly not their own.

Hard drives that provide prime material for identity theft are more likely to come from a company for which you are an employee or client than from your own computer, according to a study released by the Information Commissioner's Office in the UK on Thursday. ICO had a computer forensics company read 200 used hard drives using freely available tools, and found that files containing personal data like bank account info and tax forms were more likely to have come from an organization than an individual.

The 200 hard drives were sourced from computer trade fairs and online auction sites by the forensics company NCC Group. The drives were first searched without any particular software, and then searched again using "forensic tools freely available on the internet."

Fifty-two percent of the drives had been wiped, but 48 percent still had readable information, with 34,000 recoverable files. Of the 200 drives, only two had enough data to allow a new owner to steal the former owner's identity. Four more drives, however, contained information on employees and clients of four organizations, including health and financial details.

Recoverable data on those four hard drives included detailed reports with personal and sensitive data, job applications, copies of passports, birth certificates, and drivers' licenses, tax forms, full bank account information, and health information. ICO noted that the drives were "either personally or corporately owned," and the data they contained was the result of unauthorized working from home in some cases.

ICO stated that it had since contacted the four organizations associated with each of the drives, and all four had assured ICO that new strategies had been put in place to prevent the same level of data exposure.

While four hard drives out of 200 are a small number, the fact that they were company property suggests that each one could have exposed data and facilitated identity theft for large groups of people. That the data recovery required no specialized tools is particularly troubling. Sadly, individuals often have no choice but to trust an employer or business with sensitive information, and there's little they can do to ensure their data is treated properly once in corporate hands.